• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Critical Persistent XSS 0day in WordPress

April 27, 2015Marc-Alexandre Montpas

1.3k
SHARES
FacebookTwitterSubscribe

*Update 2015-04-27*: A patch has been released and made available by the WordPress Core Team in version 4.2.1 – Please update immediately.

Yes, you’ve read it right: a critical, unpatched XSS 0day in WordPress’ comment mechanisms was disclosed earlier today by Klikki Oy.

Who’s Affected?

If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the website’s code if the code runs when in a logged-in administrator browser.

You should definitely disable comments on your site until a patch is made available or leverage a WAF to protect your site and customers.

Technical Details

This vulnerability requires an attacker to send a comment long enough to force the backend MySQL database to truncate what is stored.

WordPress Database Schema

As you can see from the above schema, the comments texts are stored in the comment_content column which is a TEXT column, meaning a comment can only contain a maximum of 65535 bytes of data.

A typical exploit would look like the following:

<a href='x onclick=alert(1) AAAAAAAAAAAAAA..(multiplied so our comment contains more than 65k bytes)'>test</a>

Once taken back from the database would look like this:

<p><a href='x onclick=alert(1) AAAAAAA</p>

Some of you might have noticed that the resulting HTML tag isn’t complete, but this isn’t a problem for most modern browsers as most of them will simply patch it up automatically:

Screen Shot 2015-04-27 at 10.43.34 AM

This bug then allows anyone to insert any HTML tag attributes to his hyperlink, including Javascript event handlers.

What You Can Do

There’s a few thing you can do to prevent getting hacked before there’s an official patch being released:

  • You can disable comments on your site.
  • Leverage a Web Application Firewall to filter good requests from exploit attempts.

Hopefully the WordPress team will release a patch soon.

1.3k
SHARES
FacebookTwitterSubscribe

Categories: Vulnerability Disclosure, Website Malware Infections, WordPress SecurityTags: XSS, Zero-Day

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Reader Interactions

Comments

  1. Caitlin DiMare-Oliver

    April 27, 2015

    Any word or knowledge on whether using a commenting system – like Disqus here – helps here? Or, because it still allows comments to be injected, are users of that plugin just as vulnerable?

    • Mike

      April 30, 2015

      Hey Cat! This is Mike L from Umass Lowell.. I was just reviewing this article for one of my clients and to my surprise found your comment!

      • Caitlin DiMare-Oliver

        April 30, 2015

        Dude! Hey! That’s wicked funny.

        You should catch me online sometime. @rentageekmom on twitter if you want to grab my email address. 🙂

  2. Anonymous

    April 27, 2015

    I also want to know if wordpress blogs using Disqus are affected. Also, would it help if all comments are moderated? Thanks.

    • Joomlaboy

      April 27, 2015

      As they said this is a method you as the admin can be the one attacked once you go to administer the comments so comment moderation is not a really good solution.

      • Anonymous

        April 27, 2015

        Thanks. Actually, I moderate Disqus comments via email or via the Disqus dashboard. With Disqus, I don’t have to administer comments inside wordpress via the admin dashboard. However, comments approved in Disqus will be synced to wordpress so that’s an area of concern. Any ideas?

      • Chris Dunst

        April 27, 2015

        Actually the Klikky Oy site says “the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.”

        So making sure all comments go to moderation, then only approving genuine comments will protect you.

        WordPress has an option to allow ‘must have a previously approved comment moderations’, which won’t work, as a hacker could post a genuine comment, then come back to post the hack which bypasses moderation.

  3. Claudia

    April 27, 2015

    Does WordPress know about this? From the blog article you referenced, it doesn’t sound like WP is responding to them. I can disable comments for a day, but I can’t do it much longer than that. Can we count on a patch coming through?

    • Cedric

      April 27, 2015

      WordPress is aware of the issue and is working on a patch. If you have Akismet installed, these comments will already be automatically flagged as spam.

      • Claudia

        April 27, 2015

        Okay. I do have Akismet. I’ve routinely delete those spam comments to the trash. Should I just leave them for the time being?

      • Ade

        April 27, 2015

        So I simply shouldn’t check my spam queue then? Will it affect WordPress sites on 4.2 with Disqus installed?

      • Cedric

        April 27, 2015

        The vulnerability should not affect the comment queue in the administrative panel. The only risk is when the comment is approved and the administrator subsequently views the comment on the post’s page. You can empty your spam as usual.

        • Claudia

          April 27, 2015

          Thank you! In the meantime, I’ve disabled comments.

        • Elizabeth - SugarHero.com

          April 27, 2015

          So can we safely view the spam comments in the spam panel, as long as we don’t approve the infected ones? I routinely get legit comments sent to spam so I check my spam queue regularly. Comments downthread are suggesting that even viewing them could be dangerous?

          • Cedric

            April 27, 2015

            You can indeed safely view the spam comments in the spam panel (according to the researcher’s website) as long as you do not approve the malicious ones.

          • Elizabeth - SugarHero.com

            April 27, 2015

            Thanks very much, Cedric!

  4. SkyStats

    April 27, 2015

    I’m assuming the hacker would need to have an approved comment first otherwise this code would not appear without being approved by the Admin. Correct?

    • Marc Montpas

      April 27, 2015

      It entirely depends on how the site is configured. If you have the “Comment author must have a previously approved comment” option enabled, then yes :).

  5. Tony Perez

    April 27, 2015

    Updated, thanks.

  6. Chris Dunst

    April 27, 2015

    I’m a huge fan of WordPress, and I don’t know how much work is involved to patch this, but it’s very disappointing to read they haven’t responded to attempts to notify them about this vulnerability. Particularly as WP have been so proactive recently in pushing updates, and working with Yoast, Sucuri and other plugin authors to patch vulnerable plugins over the last few weeks.

    I’m sure virtually all website owners would prioritise security over functional improvements shipped with versions 4.1 and 4.2. Let’s hope this was some kind of communication breakdown.

  7. MonkeyMan

    April 27, 2015

    Looks like WP just pushed out 4.2.1 – i guess / hope thats the reaction to this? anyone?

  8. Ajax McKerral

    April 27, 2015

    I run Varnish in front of our webserver, and can filter requests before they hit Apache. I’ve done this to block Shellshock as well as common hacking attempts.

    I am wondering what the request might be – and then I could build a regex to deliver a 403 Error to any requests trying to exploit this. It’s not immediately obvious how these POST requests might look in the wild. I also suppose that Varnish can’t inspect POST requests – so it makes it a little difficult to block.

    Any thoughts?

    • David King

      April 28, 2015

      Maybe not the payload content, but perhaps you could put a rule in that limits request size (being that this is an overflow attack) for POST requests to the PHP comment post endpoint.

      (BTW, care to share your VCL for shellshock etc?)

  9. Veronica Solomon

    April 28, 2015

    Does this affect the wordpress jetpack comments?

  10. Secure Hunter

    April 28, 2015

    If you have Akismet running there is a good chance that the comments will get flagged as spam so do not check your spam queue.

  11. George ccto

    April 29, 2015

    Do you think the following .htaccess or apache config can mitigate the issue? thank you.

    LimitRequestBody 65000

  12. Zerberos

    June 12, 2015

    Thank you for this information, we will check our blogs for this problem.

  13. Edward Smithen

    November 30, 2015

    cool

  14. Edward Smithen

    November 30, 2015

    alert(“I am an alert box!”);

  15. Edward Smithen

    November 30, 2015

    hello word

  16. Edward Smithen

    November 30, 2015

    XSS

  17. financialhelp

    January 9, 2016

    With Gain Credit Personal Loans, you can get instant loan/money for a
    wide range of your personal needs like renovation of your home, marriage
    in the family, a family holiday, your child’s education, buying a
    house, medical expenses or any other emergencies. With minimum
    documentation, you can now avail a personal loan at attractive 3%
    interest rates. This is trust and honest loans which you will not
    regret, Contact us via Email: gaincreditloan01@gmail.com

  18. Mr Jubrin Nelson

    May 6, 2016

    Hello Everybody,

    I am Kristen Oh Lim I live in Baskent and i am a happy woman today? and i told my self that any lender that rescue my family from our poor situation, i will refer any person that is looking for loan to him, he gave me happiness to me and my family, i was in need of a loan of $45,000 to start my life all over as i am a single mother with 3 kids I met this honest amuslim man loan lender that help me with a loan of $45,000. he is a muslim man, if you are in need of loan and you will pay back the loan please

    contact him tell him that Kristen Oh Lim that refer you to him. Contact Mr.Jubrin nelson via email: (globalteamlendingfirm@gmail.com)

  19. Mr Jubrin Nelson

    May 6, 2016

    Hello, I am Malissa Delh, currently living in New jersey city, USA. I am a widow at the moment with three kids and i was stuck in a financial situation in February last 2016 and i needed to refinance and pay my bills. I tried seeking loans from various loan firms both private and corporate but never with success, and most banks declined my credit. But as God would have it, I was introduced to a Man of God a private loan lender who gave me a loan of $85,000USD and today am a business owner and my kids are doing well at the moment, if you must contact any firm with reference to securing a loan without collateral , no credit check, no co signer with just 3% interest rate and better repayment plans and schedule, please contact Mr Jubrin Nelson. He doesn’t know that am doing this but am so happy now and i decided to let people know more about him and also i want God to bless him more.You can contact him through his email: globalteamlendingfirm@gmail.com

  20. Zero Frechette

    August 28, 2016

    alert(“XSS”)

  21. Anony

    June 21, 2017

    WordPress fix this

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.